Proactive Honeypots

Honeypots sit on a server and wait for intrusion attempts. When one occurs, they can perform a variety of actions. But what if a honeypot did the inverse--headed out on the Web to look for intruders? Microsoft has developed a new tool, Strider HoneyMonkey Exploit Detection System, that runs as a Web client by using "monkeys" to surf the Web for malicious Web-based content.

HoneyMonkey's monkeys are programs that automate Web surfing and exploit detection. Instead of relying on databases of known exploits and malware, the monkeys launch a browser, connect to a site via its URL, and then wait for something to happen. The programs also monitor all file and registry access. Because the monkeys aren't designed to click links or dialog boxes on sites, it can be reasonably assumed that any executable file downloads or registry changes during monkey Web sessions might be hostile in one way or another.

Microsoft says that HoneyMonkey also works in conjunction with Strider GhostBuster and Strider Gatekeeper to detect hidden processes and hooks that might use autostart features of the OS. HoneyMonkey runs inside a virtual machine (VM), which makes cleaning up after any potential exploit or infection much easier. When exploits are detected, HoneyMonkey alerts a controller, which destroys the VM, launches a new, fully patched VM, and passes the URL to another monkey. If an exploit is still detected, HoneyMonkey concludes that it's found a new (or zero-day, if you prefer) exploit and passes it on to Microsoft's Security Response Center for further research.

HoneyMonkey works sort of like a search engine spider. It follows links and redirects at a detected exploit site to find more suspect sites. According to Microsoft, such sites often link to each other; if one site's exploit doesn't work, another site's might.

Microsoft said that after a month of use, HoneyMonkey discovered 752 URLs at 287 sites that can infiltrate an unpatched system running Windows XP. Of that lot, 204 URLs at 115 sites can infiltrate a system running XP with Service Pack 2 (SP2) and no additional patches. Microsoft said that the first new exploit was detected in July. It used known vulnerabilities in javaprxy.dll, for which no patch was available. Microsoft then created a patch, which was released in conjunction with Microsoft Security Bulletin MS05-037, "Vulnerability in JView Profiler Could Allow Remote Code Execution (903235)."

http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx

Here's some interesting information: Of those 752 URLs, 102 of them were available via search results at Google and 100 of them were available at Yahoo!. As of June 1, 49 of them were available at MSN Search, but by June 10, Microsoft had removed all 49. The company didn't say whether it shared its information with other search engine operators so that they could remove the URLs from their respective engines.

If you're interested in learning more about HoneyMonkey, visit the Microsoft Research Web site and click the link "Full research technical report on Strider HoneyMonkey" for a paper that contains a lot more detail.